After the news cycle recently exploded with the announcement that Google would require every single Android app to be from a registered and verified developer, while killing third-party app stores …
The vast majority of malware isn’t delivered via play store because of the existing measures and protections they have. Same reason you see very little app-store-based malware on iOS. DISCLAIMER: YES MALWARE EXISTS ON APPLE HARDWARE PLEASE DON’T SHOUT AT ME. Talking specifically about anything installed via first party stores on both platforms.
Their main issue is this: dumb people install apks from spurious website and infect their phones. The least controllable and most pervasive factor here is the intelligence and knowledge of the user which cannot be controlled for by Google. So by eliminating the ability to exploit this entirely, it will eliminate that specific vector.
It’s a sledgehammer solution that naturally comes with many downsides like disrupting intelligent and knowledgeable users that just want to hack around with FOSS and such.
Google is relying on It being too expensive for malware creators to have to guide each individual user through adb installation and usage process just to get access to their phone. Most scammers only do that level of interaction to extract actual cash/gift cards from the target.
I am personally and directly affected by their decision in many negative ways, but I’m not so dense as to not understand why they’re doing it.
/corpodronespeak
EDIT: bots help Xitter maintain inflated usage figures which justify people’s jobs, share prices, etc. Bots are a feature, not a bug.
Because it can be invalidated. That’s the difference.
It’s absolutely not foolproof, but nothing is. Most actions corps take for this stuff only slows down the spread. Hackers and bad actors innovate way faster than companies can keep up with. So companies cast a wide net with their solutions. And the cycle continues.
with the new system, you must go online to check if the license for that app is still valid or revoked. But the current system works almost the same: if there’s an internet connection play protect checks the signature against an online malware db and prevents installation.
From a couple years ago, google has the power to remotely install/uninstall any apk on your phone without your consent
The overwhelming majority of Android users don’t even know where to start to install software outside of the Play Store. If they’re even aware that it’s possible.
Corporate needs to have somebody to sue in case of a policy violation. Very especially those debloated apps that float around the web - they need to ensure they have a physical person to pin the blame to in court.
if scammers can open a bank account with stolen identities, i’d assume google, which is entirely run by bots without any human oversight, wouldn’t have a better detection
I presume they are implying that the play store review process will catch compromised apps? Not likely considering how many dodgy apps have been found on play store. It’s just another controlling act.
Google is doing this to comply with EU regulations supposed to increase security. Now imagine that Google was pushing back against this instead of complying. As per usual, Lemmy would be up in arms against Google for failing to protect people’s data and not complying with our laws and culture. You’d be downvoted to oblivion for asked that question and called a corporate bootlicker.
I think these rules come from German legal culture, which traditionally has a strong need to control information exchange and processing.
the way they originally phrased it, it was seemingly because of authoritarian governments like singapore wanting to exert more control (hey google, can you revoke the certificate or doxx this dev for us?) and then they realized that they could make more money if they extended this block worldwide
I’m sure the EU is not the only jurisdiction demanding this sort of thing, but I doubt Singapore has the pull needed to get Google to move.
Brussels effect. Imagine Google were to still allow unverified apps in the US. Most devs would still opt for verification so as not to lose the EU market. The proportion of malware is probably going to be higher among the few remaining unverified apps. Sooner or later, some US scam victims would sue Google for failing to protect them like it protects Europeans. Hard to refute.
Can someone “redpilled by corporate” explain me how this policy actually increase security?
It’s trivial for a malware developer to pay $25 with a stolen card and a stolen id
Look at the “verified” bots on xitter, they didn’t solve the bots problem, rather just monetized it
It’s a lie. Google just wants control.
The vast majority of malware isn’t delivered via play store because of the existing measures and protections they have. Same reason you see very little app-store-based malware on iOS. DISCLAIMER: YES MALWARE EXISTS ON APPLE HARDWARE PLEASE DON’T SHOUT AT ME. Talking specifically about anything installed via first party stores on both platforms.
Their main issue is this: dumb people install apks from spurious website and infect their phones. The least controllable and most pervasive factor here is the intelligence and knowledge of the user which cannot be controlled for by Google. So by eliminating the ability to exploit this entirely, it will eliminate that specific vector.
It’s a sledgehammer solution that naturally comes with many downsides like disrupting intelligent and knowledgeable users that just want to hack around with FOSS and such.
Google is relying on It being too expensive for malware creators to have to guide each individual user through adb installation and usage process just to get access to their phone. Most scammers only do that level of interaction to extract actual cash/gift cards from the target.
I am personally and directly affected by their decision in many negative ways, but I’m not so dense as to not understand why they’re doing it.
/corpodronespeak
EDIT: bots help Xitter maintain inflated usage figures which justify people’s jobs, share prices, etc. Bots are a feature, not a bug.
yes, of course malware is distributed via apk.
But what’s the difference between:
?
Isn’t exactly the same stuff? Or there’s someone that is actually thinking that criminals will use their real ID card for the verification?
Does not change anything for malware distribution, except bother them for a dozen minutes meanwhile they “verify” their stolen ID
Because it can be invalidated. That’s the difference.
It’s absolutely not foolproof, but nothing is. Most actions corps take for this stuff only slows down the spread. Hackers and bad actors innovate way faster than companies can keep up with. So companies cast a wide net with their solutions. And the cycle continues.
Apks can be invalidated after installation?
with the new system, you must go online to check if the license for that app is still valid or revoked. But the current system works almost the same: if there’s an internet connection play protect checks the signature against an online malware db and prevents installation.
From a couple years ago, google has the power to remotely install/uninstall any apk on your phone without your consent
No, the certificate can be invalidated preventing future installations for other users. If you already have it you’re SOOL
No they don’t. Most people don’t even know what an apk even is.
Most people don’t know what a bootloader is. They still turn their devices on and off every day.
This whole conversation is about adding obstacles to prevent non technical users from doing things they don’t fully understand.
The overwhelming majority of Android users don’t even know where to start to install software outside of the Play Store. If they’re even aware that it’s possible.
It’s actually an incredibly common way that they are infected, especially in places where WhatsApp is the default communication platform
Yes you’re right. If they knew, it would likely come with the knowledge that, if someone asks you to do this, you’re probably being scammed.
That’s what makes them most vulnerable to these kinds of scams.
It’s not about stopping malware; it’s about being able to act on malware.
Making a new account with a new phone number and new credit card is a minor barrier to entry.
That said, it’s a cool story, but I think they’re looking to stop vanced style patching.
Corporate needs to have somebody to sue in case of a policy violation. Very especially those debloated apps that float around the web - they need to ensure they have a physical person to pin the blame to in court.
I would assume that you won’t just be able to register with a stolen id and stolen card.
if scammers can open a bank account with stolen identities, i’d assume google, which is entirely run by bots without any human oversight, wouldn’t have a better detection
You don’t think Google have better tech than banks?
Oh boy. You have no idea how old and bad the underlying tech that banks work on is.
I presume they are implying that the play store review process will catch compromised apps? Not likely considering how many dodgy apps have been found on play store. It’s just another controlling act.
Google is doing this to comply with EU regulations supposed to increase security. Now imagine that Google was pushing back against this instead of complying. As per usual, Lemmy would be up in arms against Google for failing to protect people’s data and not complying with our laws and culture. You’d be downvoted to oblivion for asked that question and called a corporate bootlicker.
I think these rules come from German legal culture, which traditionally has a strong need to control information exchange and processing.
the way they originally phrased it, it was seemingly because of authoritarian governments like singapore wanting to exert more control (hey google, can you revoke the certificate or doxx this dev for us?) and then they realized that they could make more money if they extended this block worldwide
I’m sure the EU is not the only jurisdiction demanding this sort of thing, but I doubt Singapore has the pull needed to get Google to move.
Brussels effect. Imagine Google were to still allow unverified apps in the US. Most devs would still opt for verification so as not to lose the EU market. The proportion of malware is probably going to be higher among the few remaining unverified apps. Sooner or later, some US scam victims would sue Google for failing to protect them like it protects Europeans. Hard to refute.